Cybersecurity threats to Department of Defense (DoD) acquisition programs are both challenging and complex. Program managers (PMs) have the daunting responsibility to minimize cybersecurity vulnerabilities in their systems against current and future cybersecurity threats.

To effectively address cybersecurity threats in DoD acquisition programs, PMs need a combination of the right policies, processes, people and tools. Furthermore, cybersecurity is dynamic by nature, requiring proactive engagement and expertise to minimize risk throughout the acquisition life cycle. Effective cybersecurity can only be achieved through a holistic approach that takes into account more than just information assurance compliance. This holistic approach includes areas of known cybersecurity risk for DoD programs and provides an effective framework for developing, planning and implementing an effective cybersecurity strategy. Such a strategy must be based on the following expanded set of areas:

■ Information Assurance

■ Hardware/Software Assurance

■ Supply Chain Risk Management

■ Blue Team—Computer Network Defense/Vulnerability Analysis

■ Red Team—Threat vulnerability/penetration testing

Failure to address all these areas as part of the cybersecurity effort will likely result in failure from a cybersecurity perspective. This article will briefly address revised DoD cybersecurity policy and highlight a unique Aviation and Missile Research, Development and Engineering Center (AMRDEC) cybersecurity initiative supporting DoD PMs.

New DoD Cybersecurity Policy

The focus and emphasis of cybersecurity within the DoD changed significantly with the release of DoD Instruction (DoDI) 8500.01 (Cybersecurity) and DoDI 8510.01 (Risk Management Framework for DoD Information Technology [IT]). A key purpose of these revised instructions is an attempt to align DoD cybersecurity efforts with the best practices of both private industry and other federal agencies. By doing so, DoD can leverage proven and effective processes to make DoD networks and systems more resilient against current and future cybersecurity threats. Another major focus of the revised DoD policy is to address cybersecurity risk in a manner that takes into account the unique challenges presented by such threats.

The revised DoDI 8500.01, titled Cybersecurity, provides several changes, including a revised focus. The term "Information Assurance" is no longer used and has been replaced with the term "cybersecurity." A quick review of the DoD definition for both terms reveals little change in wording but a clear change in focus. First, the cybersecurity focus has been expanded to include communications systems, communications services, wire communications and electronic communications. Implicit in the definition above is an understanding that electronic and wire communications are increasing at an exponential rate and that providing security for those forms of communication is extremely important.

Additionally, this DoD instruction places increased emphasis on operational resilience, integration and interoperability. This emphasis recognizes the critical part interoperability plays in the development, acquisition and fielding of DoD systems and our ability to operate effectively on the battlefield. Finally, the term "cybersecurity" emphasizes the concept of prevention. Incorporating cybersecurity early in the acquisition life cycle is both proactive and preventive. DoDI 8500.01 advocates incorporating cybersecurity early and continuously throughout the acquisition life cycle. The acquisition life-cycle process embodied in DoDI 5000.02 promotes the importance of "upfront and early" planning and incorporation of logistics to ensure program success. This same proactive approach should be used for early incorporation of cybersecurity in the acquisition life-cycle process and is in line with the "Shift Left Initiative" advocated by Dr. Steven J. Hutchison, Acting Deputy Assistant Secretary of Defense for Developmental Test and Evaluation.

According to Hutchison:

The Shift Left initiative fundamentally is about improving DT&E to set the conditions for successful production and deployment. Shift Left achieves this goal through earlier identification and correction of failure modes, thereby avoiding the high costs of late cycle repair and reducing the impact to our warfighters of fielding capabilities that do not satisfy requirements. There are three key elements of Shift Left: earlier testing for interoperability, earlier testing of Cybersecurity, and conducting DT&E in a mission context.

Early incorporation of cybersecurity into the DoD acquisition life cycle will likely lower overall program risk and lead to better acquisition outcomes.

The revised DoDI 8510.01, Risk Management Framework (RMF) for DoD IT, is DoD's authorization process for information technology systems and supersedes the previous process known as the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). The focus of RMF is on iteratively managing cybersecurity risk through a six-step process that includes the key component of continuous monitoring. According to Bloomberg Businessweek, the recent cybersecurity data breach experienced by Target stores was the biggest in U.S. history and primarily was due to lack of continuous monitoring and response. RMF uses a risk-based approach for decisions on cybersecurity versus the former approach (DIACAP) that focused on checklists and compliance. Just focusing on compliance via checklists will yield some benefit but does not sufficiently address cybersecurity risk. The goal of the RMF process in DoD acquisition programs is to incorporate RMF up front and early and in a continuous manner throughout the acquisition life cycle.

AMRDEC Cyber Integrator Initiative

AMRDEC at Redstone Arsenal, Huntsville, Ala., is proactively supporting DoD Project Management Offices (PMOs) and Program Executive Offices (PEOs) through several cybersecurity initiatives. The recent shift in DoD cybersecurity policy and the language in the 2013 and 2014 National Defense Authorization Acts (NDAAs) are forcing PMs to proactively address cybersecurity risk throughout the acquisition life cycle. Acquisition programs can mitigate cybersecurity risk by addressing it early in the acquisition life cycle and by "widening the aperture" when developing the mandatory Cybersecurity Strategy.
A noteworthy AMRDEC cybersecurity initiative is the concept of a "cyber integrator (CI)" added to the PEO/PMO staff of select DoD acquisition programs. The purpose of the CI is to lead the cybersecurity efforts within the program, which includes effective integration of cybersecurity across all functional domains, and act as principal advisor to the PM on all cybersecurity matters. The designation and empowerment of a CI as the "cybersecurity champion" within the PMO clearly puts program cybersecurity in an elevated and proactive posture. Cybersecurity encompasses additional components such as hardware, software and firmware assurance, supply-chain risk management, Blue Team/Vulnerability analysis activities and Red Team testing. These additional focus areas coupled with the integration required across all functional domains necessitate the requirement for the CI.

The potential impact of the CI really comes into focus through the use of the Cyber Dashboard, which was developed by AMRDEC and is a measurement/management tool that tracks key cybersecurity milestones and program dependencies across critical cybersecurity focus areas. The CI using the Cyber Dashboard concept is an ongoing pilot program in the Integrated Air and Missile Defense Program Office, an ACAT I program in Huntsville, Ala. The CI produces a holistic view of the system's cybersecurity posture for senior leaders in the PMO, enabling them to make decisions based on actionable information.

In addition, the CI attempts to stay informed on all new cybersecurity initiatives and communicates these to the program management. The CI works with the appropriate program office resources to help determine what support is required from outside agencies and coordinates these efforts to ensure that cybersecurity requirements are met, the overall system cybersecurity risk is effectively mitigated and that all cybersecurity-related acquisition life-cycle requirements are adequately addressed.

Cybersecurity threats will continue to be a significant threat to DoD acquisition programs. Effective mitigation of cybersecurity risks relies on several key factors. First, we must continue to look for opportunities to take the fight to the enemy and not be complacent and defensive. We must maintain a proactive posture including a situational awareness for new threats at all times. Next, we must look for innovative methods to address cybersecurity risk. The CI and Cyber Dashboard concept constitute such an approach. By designating a "cybersecurity champion" in the Project Office, we are putting increased emphasis and resources toward securing our systems against cybersecurity threats.

Finally, we must identify and resource a new and expanded legion of cybersecurity warriors to take the fight to the enemy. We need to find and incentivize personnel with the right technical acumen and leadership to get the job done. DAU and AMRDEC look forward to the challenge.


The authors can be contacted at Steve.Mnis@dau.mil and Rob.Goldsmith@amrdec.army.mil.
